‘We borked the fix,’ developer candidly admits
Developers have taken a second stab at fixing a tricky flaw in cURL, the command-line tool and library for transferring data with URLs.
The utility, which is popular with developers, was subject to an information disclosure bug involving interactions with Telnet servers in June.
However, the attempted resolution of the flaw (CVE-2021-22898) failed to address an almost identical bug in the software which also presented an information disclosure, or potential data leak vulnerability in interacting with Telnet servers.
This latest vulnerability (CVE-2021-22925) represents only a medium risk flaw, but its similarity to the previous bug prompted cURL developer Daniel Stenberg to declare it as the “most embarrassing security advisory for cURL for a long time”.
“We meant to fix this in the previous release but borked the fix so the problem remained and now we fix the same problem *again*,” Stenberg admitted in a recent Twitter update.
Both issues were introduced by coding changes made in March 2001, meaning the underlying flaw had laid dormant in the software for more than 20 years.
As explained in a technical advisory, the latest flaw, like its predecessor, involves the seldom used -t command-line option to send variable=content pairs to Telnet servers:
Due to flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server. Therefore potentially revealing sensitive internal information to the server using a clear-text network protocol.
This could happen because curl did not call and use sscanf() correctly when parsing the string provided by the application.
“The previous cURL security vulnerability CVE-2021-22898 is almost identical to this one but the fix was insufficient, so this security vulnerability remained,” the developers added.
Neither the latest flaw nor its near-identical predecessor are reckoned to be the target of active exploitation. Users of the technology are nonetheless advised to update to the latest release of the software, version 7.78.0.
Stenberg said the experience had taught him a few lessons.
“I learned (again) that when you take shortcuts (like skipping writing test cases for it) – mistakes easily happen,” he told The Daily Swig.
The latest version of cURL, released on Wednesday (July 21), also fixed four other vulnerabilities of lesser note, as well as introducing a large number of non-security related fixes and coding tweaks.
A full rundown of the patch batch can be found on the cURL website.